Ransomware is a familiar plague in the online world – it has existed for more than 25 years and has become increasingly common during the past decade. But, until recently, it has been aimed more at organizations or individual computers than at devices.

That is changing. With the explosive growth of the Internet of Things (IoT) – estimates of how many connected devices will be in use by 2020 range all the way up to 200 billion – experts say it is about to get much more common at the consumer level. An attack surface that broad and that vulnerable is irresistible to cybercriminals.

Most of the headlines so far are still about organizational breaches – one of the most recent was at the Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom demanded by hackers who had installed malware that encrypted files on some of its devices.

Even police departments have been among the victims. They usually end up paying a ransom that is not crippling, but the episodes are an ominous reminder that the encryption used in such attacks is generally robust enough that even experts cannot recover the files without the key.

At the consumer level, the individual ransom demands are not expected to be huge either, since the sheer number of potential victims offers the promise of enormous wealth to savvy criminals.

Some experts have been predicting for more than a year that consumer ransomware will become so common that it could become an annoying but routine part of the cost of living.

They say people could end up paying $20 to $100 or more a month in “rent” to digital mobsters just to make sure their car will start in the morning, their doors and windows won’t get unlocked remotely, their electric bill won’t show twice the actual energy use, their appliances won’t go haywire and their TV won’t turn into a spy camera.
There is the realistic possibility that a ransom could be demanded to keep an embedded medical device from turning lethal.

Indeed, connected consumer devices range from TVs to cars, online gaming, toys, guns, wearable fitness trackers, smart appliances, thermostats, lights, wall switches, couches, toothbrushes, motion sensors, garage doors, baby cams, home security systems, utility monitoring, smoke alarms and embedded medical devices – just about anything that could be connected.

As Chris Hadnagy, founder, CEO and chief human hacker at Social-Engineer, has put it, “Imagine a world where a whole network can be compromised from a coffee machine – you don't have to imagine it – I have seen it first hand. Network-enabled devices means that someone can alter, adjust, spy, listen and use that device in any way they want if they compromise it.”

Even with all those warnings, compromising such devices remains alarmingly easy. Most do not have even basic security built in. And when vulnerabilities are discovered, it is not always easy, or even possible, to update or patch them.

So, not surprisingly, while it has not made major headlines, the growth of consumer-level breaches and ransomware is showing up in statistics. The FBI issued a statement last June saying it had logged 992 complaints related to just one variant of ransomware, CryptoWall, between April 2014 and June 2015, with combined losses of $18 million.

That is expected to get worse. “We will see an increase in IoT-based breaches,” said Sundaram Lanskmanan, vice president of technology at CipherCloud. “Every device that’s getting rolled out these days seems to have Internet connectivity. The hack can happen at any time from manufacturing to firmware updates past the production phase.”

More than just the loss of money or data is at stake as well.
“There is a big difference between losing computer data and the safety risks involving a house or car,” said Will Dormann, senior vulnerability analyst in the CERT division of the Carnegie Mellon Software Engineering Institute.

“When you have more real-world devices connected, there can be risks involving human life, which are obviously much more serious,” he said.

Dan Geer, CISO at In-Q-Tel and an adviser to U.S. intelligence agencies, raised another ominous possibility. He said money is likely to be the prime incentive in the early stages of IoT attacks, “but for the long haul, disinformation in sensor nets may well be of interest, as will the marshaling of things into, shall we say, zombie armies.

“As M. Hathaway said in the 60-day ‘Cyberspace Policy Review’ at the outset of Obama's first term, the primary targets at the national level are the defense industrial base and the tech firms with global dominance; the secondary targets are the counterparties of the above; and the tertiary are any devices that can be a platform for attacks on the secondary,” he said.

Connecting such devices also creates potential legal nightmares. Lanskmanan noted that while cars are required by federal regulation to have things like operating taillights, “if an IoT hacker disabled that taillight on a freeway, who will be held responsible?”

Of course it is possible for the market to punish vendors for security failures by refusing to buy products that become known for being easily hackable. But Dormann said the practical reality is that most consumers don’t think much about security when they buy “smart” devices – they focus on features and price.
“Security is usually not part of the purchasing decision,” he said.

Or, as encryption guru, author and CTO of Resilient Systems Bruce Schneier has put it more than once, “People don’t care because they don’t know enough to care.”

The reality is not all bleak, however, say experts like Zach Lanier, director of research at Cylance. He noted that many consumer devices “may not store enough data locally to make it worth locking out the user, not to mention that a factory reset may clear up the issue – assuming the attacker hasn't tampered with or otherwise flashed malicious, backdoored firmware.”

Also, given the awareness of the growing threat, there are growing efforts to address its security risks. Those initiatives include BuildItSecure.ly, the Cloud Security Alliance IoT working group, the BSIMM and the Open Web Application Security Project (OWASP).

Lanier, who is involved with BuildItSecure.ly, said the goal is to “identify the various components that make up an IoT device, as well as the supporting services, and their respective vulnerabilities and threats; and help educate vendors and customers on the necessary steps to ensure the security of these products and platforms.”

Another example is a report released earlier this month by the IEEE Center for Secure Design titled “WearFit: Security Design Analysis of a Wearable Fitness Tracker,” which pointed to security flaws the wearable industry should address and proposed security guidelines for those devices.

And Brian Witten, senior director, IoT, at Symantec, said his firm is pushing what it calls “four cornerstones of security” for IoT devices, which include having the capability for field updates.

“Without the ability to update your devices, you have no way to predict how they'll be attacked in the years to come, and attackers are quite nimble,” he said.

Field updates carry their own risks, however. An update channel is only as trustworthy as its authentication: a device that accepts unsigned images, or lets a valid but older image be reinstalled, hands an attacker the same persistence mechanism the vendor relies on. Geer, in a BlackHat keynote address, noted that if devices have remote management interfaces, “the opponent of skill will focus on that and, once a break is achieved, will use those self-same management functions to ensure that not only does he retain control over the long interval but, as well, you will be unlikely to know that he is there.”

Geer recommended that embedded systems become more like humans – in that they would “be certain to die no later than some fixed time,” and therefore be replaced.

All of those, however, could be described as “carrot” incentives for better IoT consumer security – they offer assistance and encouragement, but no sanctions for lax security.

And there are currently no laws that mandate specific security requirements for IoT consumer devices. There is not even an established seal of approval from an Internet organization comparable to Underwriters Laboratories (UL) which, as Dormann put it, tests and certifies products so “a consumer has some amount of certainty that it won’t burn your house down.”

But the “stick” incentive is developing, if gradually.
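The field-update discussion above, as an added example that is not code from the article or from Symantec, In-Q-Tel or any other party quoted in it: a minimal acceptance check that a device's update path can apply before flashing an image. It ties together the points made above: the image must be authentic and intact, it must not roll the device back to an older build, and the firmware carries a fixed end-of-life date in the spirit of Geer's "certain to die" rule. The manifest format, the use of an HMAC with a device-provisioned key (a stand-in for the public-key signature a real device should verify), and the sample image are assumptions constructed for the example.

```python
"""Added example, not code from the article or from any vendor quoted in it:
a minimal firmware-update acceptance check for a device with a field-update
capability. The image must be authentic and intact, it must not roll the
device back to an older image (a valid but outdated build can reintroduce a
fixed hole), and the firmware carries a fixed end-of-life date after which it
refuses to run.

Assumptions (not from the article): the manifest format, the use of an HMAC
with a device-provisioned key as a stand-in for the public-key signature a
real device should verify, and the sample image, which is constructed.
"""
import hashlib
import hmac
import json

# Constructed for the example. A real device would hold a public key burned
# in at manufacture, so that extracting one device's key does not let an
# attacker sign updates for every other unit.
VERIFY_KEY = b"example-device-provisioning-key"


class UpdateRejected(Exception):
    """Raised when an update fails any acceptance check."""


def canonical(manifest: dict) -> bytes:
    # Sign a canonical encoding so the signature covers exactly the fields
    # that are checked, regardless of key order or whitespace in transit.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    # Vendor side. Stand-in for an asymmetric signature (see module docstring).
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, signature: str,
                  installed_version: int, now: int,
                  key: bytes = VERIFY_KEY) -> dict:
    """Device side: return the manifest if every check passes, else raise."""
    expected = sign_manifest(manifest, key)
    # Constant-time comparison; a timing leak would let an attacker forge
    # the tag one byte at a time.
    if not hmac.compare_digest(expected, signature):
        raise UpdateRejected("bad signature")
    # The manifest is trusted only after the signature check, so the hash
    # it carries can now be used to bind the image to it.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("image hash does not match signed manifest")
    # Anti-rollback: reject anything that is not strictly newer.
    if manifest["version"] <= installed_version:
        raise UpdateRejected(f"rollback to version {manifest['version']} refused")
    # Fixed lifetime: do not install an image that has already expired.
    if now >= manifest["not_after"]:
        raise UpdateRejected("firmware past its end-of-life date")
    return manifest


def update_decision(image: bytes, manifest: dict, signature: str,
                    installed_version: int, now: int) -> str:
    """Wrapper returning 'accepted' or the reason the update was refused."""
    try:
        verify_update(image, manifest, signature, installed_version, now)
    except UpdateRejected as exc:
        return str(exc)
    return "accepted"


def firmware_alive(manifest: dict, now: int) -> bool:
    """Runtime check of the 'certain to die' rule: past not_after, the
    running image refuses to keep operating and must be replaced."""
    return now < manifest["not_after"]


# Constructed sample data: a fake image and the manifest the vendor signs.
IMAGE_V2 = b"\x7fELF constructed firmware image, version 2"
MANIFEST_V2 = {
    "version": 2,
    "sha256": hashlib.sha256(IMAGE_V2).hexdigest(),
    "not_after": 1_800_000_000,  # Unix time; constructed end-of-life date
}
SIGNATURE_V2 = sign_manifest(MANIFEST_V2)

if __name__ == "__main__":
    now = 1_700_000_000
    print(update_decision(IMAGE_V2, MANIFEST_V2, SIGNATURE_V2, 1, now))  # accepted
    print(update_decision(IMAGE_V2 + b"!", MANIFEST_V2, SIGNATURE_V2, 1, now))  # image hash does not match signed manifest
    print(update_decision(IMAGE_V2, MANIFEST_V2, SIGNATURE_V2, 2, now))  # rollback to version 2 refused
    print(update_decision(IMAGE_V2, dict(MANIFEST_V2, version=3), SIGNATURE_V2, 1, now))  # bad signature
    print(firmware_alive(MANIFEST_V2, 1_900_000_000))  # False
```

The order of the checks matters: nothing in the manifest, including the hash the image is compared against, is trusted until the signature over the whole manifest has been verified, and the version comparison is strict so that re-flashing the currently installed build (a common way to reintroduce a hole after a hot-fix) is refused as well.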
The Federal Trade Commission (FTC), in a report issued more than a year ago, recommended that Congress pass “strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.”

Beyond that, the agency said that IoT device developers “should build security into their devices at the outset, rather than as an afterthought,” and that the process should include “testing their security measures before launching their products.”

Vendors who fail to do that could be targeted by the FTC. Just this week, the Taiwan-based computer hardware maker ASUSTeK Computer agreed to a settlement with the agency over charges that security flaws in its home routers “put the home networks of hundreds of thousands of consumers at risk.”

Most home routers are notoriously insecure, but the FTC’s action in this case may be the first signal that there will be government consequences for it.

Jarad Brown, an attorney with the FTC’s Bureau of Consumer Protection, noted that even without specific legislation, the failure to provide security to devices could amount to “unfairness or deception” – practices that can result in FTC sanctions.

Geer recommended several changes that would promote better security, including strict liability for developers to replace “100-page EULAs (End User License Agreements),” in which the consumer has to agree that just about any problem is not the fault of the developer or manufacturer.

He also said “independent, destructive testing” would help, and added that this may actually be in the works since UL, and major reinsurers like Zurich and GenRe, “are making some useful noises.”

Lanier is optimistic that things will improve.
He noted that part of the challenge is just keeping up with the pace of technology – numerous companies have produced products like smoke alarms, thermostats and even toys for decades that never had Internet connectivity, and now they do.

“However, slowly but surely, this is changing overall,” he said. “Vendors are generally becoming more acquainted with secure development practices, vulnerability handling, and the like.”

Witten agreed. “We're working with a number of organizations to make it easier for customers to know how much security has been built into the devices and systems that they are considering purchasing,” he said.